I suspect there was a drop-in maps widget the developers used so they wouldn’t
have to implement any logic to translate scrolling and zooming to a bounded
rectangle of latitude and longitude.

Submitting a Report

To submit a report, I had to give my first and last name, my email address
and my “Passport”. Nothing was explained about what this “passport” field represented:
a passport number? A country from which I have a passport? It seems like a
very unusual and highly personal piece of information to collect.

Luckily the lack of validations accepted "eh" and I was able to submit
a test report.

Create User

POST http://www.iseaapp.com/api/user/save HTTP/1.1
Host: www.iseaapp.com
Content-Type: application/json
Connection: keep-alive
Connection: keep-alive
Accept: application/json
User-Agent: I%20SEA/1.11 CFNetwork/758.4.3 Darwin/15.5.0
Content-Length: 128
Accept-Language: en-us
Accept-Encoding: gzip, deflate

{
  "lastname":"smith",
  "uuid":"BE4D6A15-****-67A83DB43EF4",
  "passport":"eh",
  "firstname":"John",
  "email":"m@mailinator.com"
}

HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 01:13:23 GMT
Server: Apache/2.2.15 (CentOS)
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT
Access-Control-Allow-Origin: *
Content-Length: 94
Connection: close
Content-Type: text/html; charset=UTF-8

{
  "res":"success",
  "user_id":"330",
  "firstname":"John",
  "lastname":"smith",
  "message":"Registered"
}

Save Report

POST http://www.iseaapp.com/api/reports/set HTTP/1.1
Host: www.iseaapp.com
Content-Type: application/json
Connection: keep-alive
Connection: keep-alive
Accept: application/json
User-Agent: I%20SEA/1.11 CFNetwork/758.4.3 Darwin/15.5.0
Content-Length: 1734919
Accept-Language: en-us
Accept-Encoding: gzip, deflate

{
  "comments":"test",
  "user_id":"330",
  "screenshot":" *** LONG STRING OMMITTED ***",
  "latitude":34.135643,
  "longitude":15.307302,
  "user_id":"330"
}

HTTP/1.1 200 OK
Date: Mon, 20 Jun 2016 01:13:24 GMT
Server: Apache/2.2.15 (CentOS)
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT
Access-Control-Allow-Origin: *
Content-Length: 126
Connection: close
Content-Type: text/html; charset=UTF-8

{
  "res":"success",
  "report_id":"560",
  "message":"Registered",
  "userMailAck":{
    "res":"success"
  },
  "acknowledgement":{
    "res":"success"
  }
}

The submission did include the latitude and longitude of the area
in which I clicked, along with a text-encoded “screenshot”. The screenshot
is encoded in a format I’m not familiar with and haven’t yet decoded.

If anyone recognizes this encoding (it’s not base64) please let me know and
I’ll see about decoding the whole string.

Update: It is base64 after all, but the JSON encoding did some escaping. I deleted
\r\n characters and turned \/ into literal / and was then able
to base64 decode the string into a png file. HT: @joe_h_punk
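
The decoding step from the update, as an added example that is not code from the original post: a JSON parser undoes the `\/` and `\r\n` escaping, the line breaks are then dropped, and the result is base64-decoded and checked against the PNG signature. The request body is a constructed sample; only the `comments` and `screenshot` field names come from the capture, and the helper names are hypothetical.

```python
import base64
import json
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def decode_screenshot(raw_body: str) -> bytes:
    """Recover the PNG bytes from a raw JSON report body."""
    # json.loads undoes the JSON escaping: "\/" becomes "/" and the
    # escape sequences "\r" and "\n" become real CR and LF characters.
    field = json.loads(raw_body)["screenshot"]
    # The base64 text was wrapped into lines; drop all whitespace, then
    # decode strictly so any leftover escaping fails loudly.
    b64 = "".join(field.split())
    data = base64.b64decode(b64, validate=True)
    if not data.startswith(PNG_MAGIC):
        raise ValueError("decoded data is not a PNG")
    return data


def png_size(png: bytes) -> tuple[int, int]:
    """Read width and height from the IHDR chunk that follows the signature."""
    length, kind = struct.unpack(">I4s", png[8:16])
    if kind != b"IHDR" or length != 13:
        raise ValueError("missing IHDR chunk")
    return struct.unpack(">II", png[16:24])


def _chunk(kind: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(kind + body)
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)


def make_sample_body(width: int = 4, height: int = 3) -> str:
    """Constructed sample: a tiny white PNG escaped like the captured field."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    rows = b"".join(b"\x00" + bytes([0xFF] * width) for _ in range(height))
    idat = _chunk(b"IDAT", zlib.compress(rows))
    png = PNG_MAGIC + _chunk(b"IHDR", ihdr) + idat + _chunk(b"IEND", b"")
    text = base64.b64encode(png).decode()
    wrapped = "\r\n".join(text[i:i + 64] for i in range(0, len(text), 64))
    body = json.dumps({"comments": "test", "screenshot": wrapped})
    return body.replace("/", "\\/")  # escape slashes as seen on the wire
```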

Email

Finally, the mailinator account I used to sign up received an email:

Dear John

Thank you for helping us test out this application. We will not be able to give individual details to you due to the high volume of responses but we will be informing our users of the effects their efforts have had after the testing period is over. Your efforts will help transform ours.

Thanks,
I SEA Team

It’s interesting that they are calling it a test. I didn’t read all the
news coverage, but I’m not aware of any indicating it was anything other
than a real app.

Conclusions

None of the technical discovery really points to a motivation and I don’t
care to speculate on that front.

From the app level, all the infrastructure they would need to actually
work is there: the API could point different users to different images, and
it does appear to accept all the data you might expect for a given report.

It just seems it’s not actually hooked up to anything, and in fact, it would
likely be prohibitively expensive to do so.